Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include computer viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious or unwanted software.
Many end users make use of anti-virus software to detect and possibly remove malware. In order to detect a malware file, the anti-virus software must have some way of identifying it amongst all the other files present on a device. Typically, this requires that the anti-virus software has a database containing the “signatures” or “fingerprints” that are characteristic of individual malware program files. When the supplier of the anti-virus software identifies a new malware threat, the threat is analysed and its signature is generated. The malware is then “known” and its signature can be distributed to end users as updates to their local anti-virus software databases.
Using approaches that solely rely on signature scanning to detect malware still leaves computers vulnerable to “unknown” or “zero day” malware programs/applications that have not yet been analysed for their signature. To address this issue, in addition to scanning for malware signatures, most anti-virus applications additionally employ heuristic analysis. This approach involves the application of general rules intended to distinguish the behaviour of any malware from that of clean/legitimate programs. For example, the behaviour of all programs/applications on a PC may be monitored and if a program/application attempts to write data to an executable file, the anti-virus software can flag this as suspicious behaviour.
Anti-virus applications typically provide on-demand scanning in which the user of a computer system determines when the files on the computer system should be scanned for the presence of malware. In on-demand scanning the user can activate the scanning process manually, or can configure the scanning process to start in certain circumstances. For example, the user could configure the anti-virus program to scan particular folders on a weekly basis, and to scan all the files on a computer system once a month. In addition, these anti-virus programs usually also provide real-time protection against malware by performing on-access scanning. In on-access scanning the computer system is monitored for the presence of malware by scanning files automatically in the background as and when the files are accessed.
When an application requires that some operation is performed on a file (e.g. that a file be opened or closed, or that some data be written to the file), the application sends an input/output (I/O) request to the I/O system. The I/O system consists of a set of layered drivers whose actions are coordinated by the I/O manager.
The I/O manager manages communication between drivers. All drivers supply a standard set of services that the I/O manager can call. This uniform interface allows the I/O manager to communicate with all drivers in the same way. Drivers communicate with each other using data structures called I/O request packets (IRPs). The drivers do not pass IRPs to each other directly. Instead, they pass the packets to the I/O manager, which delivers them to the appropriate destination drivers. The I/O manager therefore:
- accepts I/O requests, which usually originate from user-mode applications;
- creates IRPs to represent the I/O requests;
- routes the IRPs to the appropriate drivers;
- tracks the IRPs until they are completed; and
- returns the status to the original requester of each I/O operation.
The I/O system allows separate drivers to implement each logically distinct layer of I/O processing. For example, drivers in the lowest layer manipulate the computer's physical devices (these are called device drivers). Other drivers are then layered on top of the device drivers in a driver stack.
On-access scanning is therefore typically implemented using a filter driver of some form, or a minifilter implemented by a filter manager. A filter driver or minifilter can fit in at any layer of the driver stack and filters/intercepts IRPs passed to it from the next-higher or next-lower driver. Anti-virus programs therefore typically use a filter driver or minifilter to intercept requests to access a file, made by or on behalf of an application to the file system. An anti-virus program then intercepts any data that the application attempts to write to the file, and performs a scan of that data. However, the scanning of the file by the anti-virus program is performed synchronously, such that the operation of writing the data to the file cannot be completed whilst the anti-virus program is scanning the data. As such, the application's execution is blocked/prevented from progressing until the scan has been completed.
FIG. 1 illustrates the typical process implemented by a computer system when an anti-virus program performs synchronous on-access scanning. The steps performed are as follows:
A1. As part of its execution, an application requires that some data is written to a file. The application therefore requires that a new file or an existing file be opened. In Microsoft® Windows® the application calls a CreateFile function in order to create a new file or open an existing file. The CreateFile function returns a file handle that is associated with the file until either the process terminates or the handle is closed using the CloseHandle function. Any subsequent requests to open the file with the CreateFile function might fail until the handle is closed.
A2. The CreateFile function in turn calls the I/O manager, which generates an I/O Request Packet (IRP) on behalf of the user-mode application, the IRP having the IRP_MJ_CREATE function code.
A3. The anti-virus program providing the on-access scanning functionality intercepts the IRP_MJ_CREATE request sent to the file system by the I/O manager. In doing so, the anti-virus program can identify when a new file is created or an existing file opened. The filter driver then sends the request on to its intended target, the computer's file system.
A4. The file system returns the IRP with a status indicating that the operation was successful, including the file handle of the file, completing the IRP.
A5. The filter driver intercepts the IRP returned in response in order to learn the file handle returned by the file system.
A6. The I/O manager then notifies the application that the CreateFile function was successful.
A7. Once the file has been created and/or opened, the application then begins writing data to the file. In Microsoft® Windows® the application generates a WriteFile function call in order to write data to the open file specified by the file handle.
A8. The WriteFile function in turn calls the I/O manager, which generates an IRP on behalf of the user-mode application, the IRP having the IRP_MJ_WRITE function code and identifying/pointing to the data to be written.
A9. The file system writes the identified data to the file and returns the IRP with a status indicating that the operation was successful, completing the IRP.
A10. The I/O manager then notifies the application that the WriteFile function was successful.
A11. Once the application has received the notification that the WriteFile function has been successful, it then calls a CloseHandle function in order to close the open file handle for the file.
A12. The CloseHandle function in turn calls the I/O manager, which generates an IRP on behalf of the user-mode application, the IRP having either the IRP_MJ_CLEANUP or IRP_MJ_CLOSE function code.
A13. The filter driver intercepts the IRP_MJ_CLEANUP or IRP_MJ_CLOSE request made using the file handle and requests that a malware scanner of the anti-virus program scan the file identified by the file handle.
A14. The malware scanner then scans the file. If the result of the scan indicates that the file is clean (i.e. the file is not identified as being related to some form of malware), the malware scanner notifies the filter driver.
A15. The filter driver then forwards the intercepted IRP_MJ_CLEANUP or IRP_MJ_CLOSE request on to the file system.
A16. The file system closes the file and returns the IRP with a status indicating that the operation was successful, completing the IRP.
A17. The I/O manager then notifies the application that the CloseHandle function was successful.
A18. Only once the application has received a notification that the CloseHandle function has been successful will it be able to continue with its execution by writing data to another file.
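The following is an added, user-mode model of the layered I/O processing and the synchronous on-access scan in steps A1 to A18, together with the signature-plus-heuristic detection approach described earlier; it is not code from the original text and does not use the real Windows kernel interfaces. The I/O manager, filter driver and file system are stand-ins implemented as ordinary functions, the IRP structure and the enum values are constructed for the model, the "signature database" holds made-up patterns, and the choice to deny the close when the scan detects something is an assumption the model makes (the text only describes the clean case). What the model shows is the ordering that matters for performance: the close request cannot reach the file system until the scanner has returned.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* IRP major function codes of the model (same names as the text uses; values are constructed) */
enum IrpMajor { IRP_MJ_CREATE, IRP_MJ_WRITE, IRP_MJ_CLEANUP };

typedef struct {
    enum IrpMajor major;
    const char *name;   /* file the request applies to */
    const char *data;   /* payload for IRP_MJ_WRITE, NULL otherwise */
    int status;         /* 0 = success, -1 = request denied */
} Irp;

/* Constructed in-memory "file system" holding a single open file */
static char fs_content[512];
static int  fs_handle_open;

/* Event trace recording the order in which the layers act */
static char trace[1024];
static void log_event(const char *s) { strcat(trace, s); strcat(trace, ";"); }

/* Constructed signature database: byte patterns of "known" malware (not real signatures) */
static const char *const signatures[] = { "EICAR-TEST-PATTERN", "BADPAYLOAD" };

static bool ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Malware scanner: signature scan over the file's content (step A14) */
static bool scan_content(const char *content) {
    for (size_t i = 0; i < sizeof signatures / sizeof signatures[0]; i++)
        if (strstr(content, signatures[i]) != NULL) return true;
    return false;
}

/* Lowest layer: the file system completes the IRP (steps A4, A9, A16) */
static void file_system_dispatch(Irp *irp) {
    switch (irp->major) {
    case IRP_MJ_CREATE:  fs_content[0] = '\0'; fs_handle_open = 1; log_event("fs:create"); break;
    case IRP_MJ_WRITE:   strncat(fs_content, irp->data, sizeof fs_content - strlen(fs_content) - 1);
                         log_event("fs:write"); break;
    case IRP_MJ_CLEANUP: fs_handle_open = 0; log_event("fs:cleanup"); break;
    }
    irp->status = 0;
}

/* Filter driver layered above the file system: sees each IRP on the way down and back up (A3, A5, A13-A15) */
static void filter_dispatch(Irp *irp) {
    /* Heuristic rule from the text: a program writing data into an executable is suspicious */
    if (irp->major == IRP_MJ_WRITE && ends_with(irp->name, ".exe"))
        log_event("filter:heuristic-flag");

    if (irp->major == IRP_MJ_CLEANUP) {
        /* Synchronous scan: the close cannot proceed until the scanner returns */
        log_event("filter:scan-start");
        if (scan_content(fs_content)) {
            log_event("filter:scan-detected");
            irp->status = -1;          /* model's assumption: deny the request, do not forward it */
            return;
        }
        log_event("filter:scan-clean");
    }

    file_system_dispatch(irp);         /* forward to the next-lower driver */

    if (irp->major == IRP_MJ_CREATE)   /* post-operation: learn the returned handle (A5) */
        log_event("filter:saw-handle");
}

/* I/O manager: builds the IRP and routes it to the top of the driver stack (A2, A8, A12) */
static int io_manager_request(enum IrpMajor major, const char *name, const char *data) {
    Irp irp = { major, name, data, -1 };
    log_event("iomgr:route");
    filter_dispatch(&irp);
    return irp.status;
}

/* User-mode API of the model, mirroring CreateFile / WriteFile / CloseHandle */
int model_create_file(const char *name)                  { return io_manager_request(IRP_MJ_CREATE, name, NULL); }
int model_write_file(const char *name, const char *data) { return io_manager_request(IRP_MJ_WRITE, name, data); }
int model_close_handle(const char *name)                 { return io_manager_request(IRP_MJ_CLEANUP, name, NULL); }

/* Runs the A1-A18 sequence; returns the status of the close (0 only if the scan was clean) */
int run_application(const char *name, const char *data) {
    trace[0] = '\0';
    if (model_create_file(name) != 0) return -1;
    if (model_write_file(name, data) != 0) return -1;
    return model_close_handle(name);
}

const char *last_trace(void) { return trace; }
int file_handle_open(void)   { return fs_handle_open; }

int main(void) {
    /* Constructed inputs: a clean document, then an executable carrying a "known" pattern */
    printf("%d %s\n", run_application("report.txt", "quarterly figures"), last_trace());
    printf("%d %s\n", run_application("dropper.exe", "MZ...EICAR-TEST-PATTERN..."), last_trace());
    return 0;
}
```

In the trace of the clean run, "fs:write" precedes "filter:scan-start", which precedes "fs:cleanup": the file system only sees the close after the scanner has finished, which is exactly the wait the application incurs. In the flagged run the heuristic fires on the write to a ".exe" name and the signature scan stops the close from ever reaching the file system.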
In preventing the closure of the file handle until the file has been scanned for malware, this synchronous process of on-access scanning blocks the application from writing data to any other file until the malware scan has been completed. In other words, the application must wait until the malware scan has been completed before it can continue processing the file. As such, the anti-virus program prevents the execution of the application from progressing, slowing the rate at which it can complete its tasks, and therefore impacts on the performance of the computer system.